[chirp_devel] Yaesu FTM-10R
> There isn't a programming cable for this radio but it can clone channels to other FTM-10R radios.

I don't think any Yaesu VHF/UHF radios have official programming software. That may have changed with the recent digital stuff, but before that, it was mostly third party software only.

> Does anyone have 2 of these radios and the equipment to capture the cloning?
You should be able to do it with just one radio. Unfortunately, all Yaesus pretty much implement a different protocol, which is really depressing. However, most of them are similar enough that you can kinda figure out what to do if you look at some of the other drivers.
So, start a clone and capture what it sends you. Try sending back an ack character (ASCII 0x06) or something and see if it barfs more data at you. Wash, rinse, repeat :)
--Dan
A quick scan of the manual seems to indicate it's a "wireless-only" clone.
https://www.yaesu.com/downloadFile.cfm?FileID=4483&FileCatID=150&Fil...

This suggests it is some sort of sequence of tones sent OTA. Older Kenwood HTs, e.g. TH-79A, did something similar using a sequence of DTMF tones transmitted to other radio. Because this is not serial- or file-based communication, Chirp currently doesn't have any support for it.

Opinion and conjecture follow...

I'm guessing it would be theoretically possible to write an OTA chirp driver, but it would likely have to accomplish two things:

1. generate the actual (DTMF) tones for cloning to radio (either outputting to sound-card, or a wav file, etc. which could be replayed via another radio), and
2. decode (DTMF) tones received from master radio.

This assumes that there is no real-time ack/verification. (Otherwise this would require some real-time radio interaction with a surrogate radio coupled to pc/chirp in order to rx/tx audio OTA to the clone target.)

You would likely have to find some python modules which support this tone generation/decoding, or lash up something low-level, using python audio stream modules.

-Jens

From: Angus Ainslie via chirp_devel chirp_devel@intrepid.danplanet.com
To: chirp_devel@intrepid.danplanet.com
Sent: Wednesday, March 30, 2016 9:22 PM
Subject: [chirp_devel] Yaesu FTM-10R

Hi All

There isn't a programming cable for this radio but it can clone channels to other FTM-10R radios.
Has anyone tried to reverse engineer this cloning? Is it done via RF or Bluetooth?
Does anyone have 2 of these radios and the equipment to capture the cloning?

Thanks
Angus

_______________________________________________
chirp_devel mailing list
chirp_devel@intrepid.danplanet.com
http://intrepid.danplanet.com/mailman/listinfo/chirp_devel
Developer docs: http://chirp.danplanet.com/projects/chirp/wiki/Developers
I agree that reverse engineering the ota clone protocol would be half the battle. For example, I recall seeing somewhere a while back that someone had already mapped this out for TH-79A, but can't seem to find it at the moment.

One possible initial approach also comes to mind, assuming it is DTMF based, which might be useful for quick prototyping/testing:

1. Implement the file-based radio class to convert to/from a file-based, intermediate representation of the memory, i.e. sequence of dtmf digits in ascii txt file
2. use some "off-the-shelf" executables/libs/etc to convert audio (direct output, wav file, etc) to/from the text file

Integrating the conversion and management of audio representation output/file generation could be done separately if the initial approach works.

This actually makes me want to do something for my wife's TH-79A, _if_ I can ever find that document...
From: Angus Ainslie angus@akkea.ca
To: af5mi@yahoo.com
Cc: "chirp_devel@intrepid.danplanet.com" chirp_devel@intrepid.danplanet.com
Sent: Saturday, April 2, 2016 9:44 AM
Subject: Re: [chirp_devel] Yaesu FTM-10R
Hi Jens,

Thanks for the analysis. You've basically outlined what I was thinking of doing. I figured that I would need to generate the DTMF/modem tones via the sound card and tx it through a different radio.

I was hoping that if someone had 2 of them it would make it easier to reverse engineer any real time comms that might be going on.

I picked up one of these now and it's a real pain to program so I'm going to start trying to figure out how the clone works.

Angus
On 2016-04-02 11:14, af5mi@yahoo.com wrote:
> I agree that reverse engineering the ota clone protocol would be half the battle.
I managed to capture the tones from a clone of the radio.
https://drive.google.com/file/d/0B12ZogJGIaPOZ3E5SlVjaVJrclE/view?usp=sharin...
To me it sounds more like modem tones than DTMF. I'm going to try some further analysis later today.
> This actually makes me want to do something for my wife's TH-79A, _if_ I can ever find that document...
Good luck on finding the document. If there are more radios like this maybe there should be some kind of OTA interface for chirp.
To my ear, sounds like ASK/OOK, maybe about 1200 baud. Might be direct uart to rf. I'm guessing if you looked at the raw wav/pcm in an audio editor like audacity, you could see the bytes in 0s and 1s, but that might take a while to completely reverse it ;)

If you have one of those rtl-sdr dongles (who doesn't?) then you could use something like rtl_433 (meant for decoding various rf switch/wx station/etc signals), run it in analyze mode and point it to the frequency where this radio does its thing.

-Jens
On 2016-04-04 08:45, af5mi@yahoo.com wrote:
> I'm guessing if you looked at the raw wav/pcm in an audio editor like audacity, you could see the bytes in 0s and 1s, but that might take a while to completely reverse it ;)
I looked at the spectrum analysis in audacity and nothing obvious jumped out.
> If you have one of those rtl-sdr dongles (who doesn't?) then you could use something like rtl_433 (meant for decoding various rf switch/wx station/etc signals), run it in analyze mode and point it to the frequency where this radio does its thing.
Right (I think I have 2 :) ). I initially was going to go that way but then dropped it because it was only unidirectional, but until I figure out the protocol that will work.
I've made a bit more progress with this. I've got a gnuradio companion flow graph that can FM demodulate the signal and then pulls out the ASK data.
Now I need to see if there is any coherency to the data that I'm capturing. I'm a little suspect that I'm decoding it correctly as it looks to only be about 3k for 5 clone messages. Further analysis needed.
This is the raw RTL_SDR data of 5 clones. They should all contain the same data.
https://drive.google.com/open?id=0B12ZogJGIaPOd083TWtvbGs3UGc
This is the gnuradio companion flowgraph
https://drive.google.com/open?id=0B12ZogJGIaPObGhoV21ZanYzTkE
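Added example, not part of the original thread or of CHIRP: one way to test the ASK/OOK guess above on demodulated audio, and to check whether repeated clone captures really carry the same bytes. The 48 kHz sample rate, 2400 Hz keyed tone, 8N1 UART framing and bit-aligned start are assumptions for a constructed test signal, not values measured from the FTM-10R; only the 1200 baud figure comes from the guess in the thread.

```python
import math
from collections import Counter

RATE, BAUD, TONE = 48000, 1200, 2400.0   # assumed values, not measured from the radio
SPB = RATE // BAUD                       # samples per bit

def uart_frame(data):
    """8N1 framing, LSB first: start bit 0, eight data bits, stop bit 1."""
    bits = [1] * 8                       # idle (mark) lead-in so the tone is up first
    for b in data:
        bits += [0] + [(b >> i) & 1 for i in range(8)] + [1]
    return bits

def synth_ook(bits):
    """Constructed test signal: tone on for 1, silence for 0."""
    return [bit * math.sin(2 * math.pi * TONE * n / RATE)
            for i, bit in enumerate(bits) for n in range(i * SPB, (i + 1) * SPB)]

def slice_bits(samples):
    """Envelope-detect: mean |x| per bit period, thresholded at half the peak.
    Assumes the capture starts on a bit boundary (no clock recovery)."""
    env = [sum(abs(s) for s in samples[i:i + SPB]) / SPB
           for i in range(0, len(samples) - SPB + 1, SPB)]
    thr = max(env) / 2
    return [1 if e > thr else 0 for e in env]

def uart_bytes(bits):
    """Recover bytes: find a start bit, read 8 data bits, require the stop bit."""
    out, i = bytearray(), 0
    while i + 10 <= len(bits):
        if bits[i] == 0 and bits[i + 9] == 1:
            out.append(sum(bit << k for k, bit in enumerate(bits[i + 1:i + 9])))
            i += 10
        else:
            i += 1                       # idle bit or framing error: resync
    return bytes(out)

def compare_captures(captures):
    """Byte-wise majority vote over repeated clones; list offsets that disagree.
    Compares only up to the length of the shortest capture."""
    voted, diffs = bytearray(), []
    for pos, column in enumerate(zip(*captures)):
        value, count = Counter(column).most_common(1)[0]
        voted.append(value)
        if count != len(captures):
            diffs.append(pos)
    return bytes(voted), diffs
```

If the five decoded clones disagree at many offsets, the slicer parameters or the framing assumption are the first things to revisit.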
participants (3): af5mi@yahoo.com, Angus Ainslie, Dan Smith